FIM-CLM
hi,
I have configured FIM-CLM, but I don't know how to work with it. When I request the certificate for the user, it doesn't go through any request and approval process; it gets executed and the status shows Completed.
For the smart card, it throws "Invalid smart card serial number. Smart card information not available for the supplied smart card."
I am using an OMNIKEY smart card reader and a HID Crescendo C700 card.
Regards,
Sridhar.R
October 11th, 2010 9:46am
What kind of certificate workflow do you want to realize: Self-Service, Manager-initiated?
What smartcard middleware are you trying to use?
To get more familiar with FIM-CM I recommend checking whether the "CLM Sample Profile" works in your environment. With only a few configuration settings you can deploy a self-service scenario in which a user with the appropriate permissions can initiate and enroll a soft certificate to its local certificate store.
In the next step you can modify the scenario so that not the end user itself, but a certificate manager initiates the certificate request, FIM-CM distributes a one-time password and the end user enrolls the soft certificate in conjunction with the one-time password.
To deploy the scenarios I recommend this.
Finally, if you get this running, you can move from distributing soft certificates to smart cards.
/Matthias
October 11th, 2010 10:25am
SAFESIGN middleware.
Thanks for the reply.
October 12th, 2010 1:57am
I have succeeded with self-service. Then I set up CM for Active Directory permissions. When requesting a certificate, it executes without any approval from Approvers, Enrollment Agents or Profile Admins. Below I have attached the review details of a request.

You can review details of your particular request. If appropriate, you can then execute or abandon the request.

General Information
Type: Enroll
Status: Completed
Originator: FIM\Subscriber1
Target: FIM\Subscriber1
Submission date: Tuesday, October 12, 2010 4:24:15 PM
Comments:
Data collection completed:
Profile template used: USER FIM CM Sample Profile Template

Registration Information
This section displays data collected during the request's processing.
Sample Data Item: Subscriber Request a certifica

Advanced Information
Expand this section to display information about the profile from which the request was made, as well as the newly-created profile.

Certificates In Target Profile
This section lists the certificates added to the profile when the request completed.
Common name: Subscriber1
Certificate template: User
Status: Valid
Archived: False
Expires: 10/12/2011 4:14 PM

History
Expand this section to view the request's history.
Action                                   User              Time                Event Details
Create Request                           FIM\Subscriber1   10/12/2010 4:24 PM
Approve Request                          FIM\clmAgent      10/12/2010 4:24 PM
Execute Request                          FIM\Subscriber1   10/12/2010 4:24 PM
Create Profile                           FIM\Subscriber1   10/12/2010 4:24 PM
Send Request To CA                       FIM\Subscriber1   10/12/2010 4:24 PM
Retrieve Response From CA                FIM\Subscriber1   10/12/2010 4:24 PM
Request Certificates Operation Completed FIM\Subscriber1   10/12/2010 4:24 PM
Install Certificate                      FIM\Subscriber1   10/12/2010 4:24 PM
October 12th, 2010 7:07am
Do you expect an approval step, but the request is executable without approval?
Have you configured your FIM CM profile template "USER FIM CM Sample Profile Template" correctly?
Change the general settings of the Enroll policy:
- Deselect "Use self serve"
- Number of Approvals = 1
In the section "Workflow: Approve Enroll Requests", select an appropriate AD user / group that should approve the request.
/Matthias
October 12th, 2010 7:37am
Yes, I would like to have an approval step in the process.
I have copied the default FIM CM Sample Profile Template and am using it as described on the FIM 2010 TechNet site.
I have deselected "Use self serve"; then I am not able to request a certificate, and I get this error:
"Current user does not have access to any profile templates"
If I check "Use self serve", the request can be processed. I think I have made a mistake in the profile template creation.
October 12th, 2010 8:59am
No, your permission settings are incorrect. You may need three different roles/groups:
- Subscribers: all users who should execute the cert request
- Managers: all users who should be able to initiate the cert request
- Approvers: all users who should approve a cert request
Can you post the permissions you configured on the 5 magic FIM CM points?
1. Service Connection Point
2. FIM CM profile template
3. Certificate template
4. Target User group, e.g. Subscribers
5. CM Enroll policy
/Matthias
October 12th, 2010 9:12am
Hi Matthias,

Workflow: General
This section displays workflow information related to enrollment of this profile template.
Policy enabled: Yes
Self service enabled: No
Enrollment agent required: Yes
Allow collection of comments: Yes
Allow collection of request priority: Yes
Default request priority: 0
Number of approvals: 1
Number of active or suspended profiles/smart cards allowed: Unlimited

Workflow: Initiate Enroll Request
NTauthority\system: GRANT
FIM\Subscribers: GRANT
FIM\Initiators: GRANT

Workflow: Approve Enroll Request
NTauthority\system: GRANT
FIM\Approvers: GRANT

Workflow: Enroll Agent for Enroll Request
NTauthority\system: GRANT
FIM\Enrollmentagent: GRANT

These are the enroll policy settings of my profile template.

2) Service not found
Under "Configuring the FIM CM Service" on TechNet, in "Step 5: Configure FIM CM to start automatically", they refer to the Certificate Management Service, but on my FIM CLM server I can't find a service running under that name. On my server I see the services "Certificate Propagation" and "Forefront Identity Manager CM Update Service". I need to clarify where the Certificate Management Service is, and whether I have missed something while configuring.
October 13th, 2010 2:05am
Your scenario requires the following permission configuration:

Service Connection Point
- FIM\Initiators: Read, CM Request Enroll

Active Directory Groups: FIM\Subscribers
- FIM\Initiators: Read, CM Request Enroll

FIM CM profile template
- FIM\Initiators: Read
- FIM\Subscriber: Read, CM Enroll

Certificate template
- FIM\Subscriber: Read, Enroll

FIM CM Management Profile Template
- General Settings
  - Policy enabled: Yes
  - Self service enabled: No
  - Enrollment agent required: No
  - Number of approvals: 1
- Enroll Policy
  - Workflow: Initiate Enroll Request: FIM\Initiators GRANT
  - Workflow: Approve Enroll Request: FIM\Approvers GRANT
/Matthias
October 14th, 2010 3:17am
Hi,
When I initiate a certificate request through an initiator for the test user, the request status is pending. Below is the review status as seen by the approver:
Status: Pending
Type: Enroll
Submitted Date: 10/14/2010
Originator: FIM\Initiator
Target: FIM\carduser
Priority: 0
Comments:
DN: Unknown
There is no option for the approver to execute the request.
October 15th, 2010 2:49am
Add the following permissions:

Service Connection Point
- FIM\Approvers: Read, CM Audit

FIM CM profile template
- FIM\Approvers: Read
/Matthias
October 15th, 2010 2:56am
Hi Matthias,
I am still facing the same problem; I have not yet succeeded with manager-initiated enrollment.
Error:
Active Directory Certificate Services could not process request 21 due to an error: ASN1 bad tag value met. 0x8009310b (ASN: 267). The request was for FIM\CLMUSER. Additional information: Error Parsing Request
October 19th, 2010 8:57am
Typically this error corresponds with clmAgent certificate problems.
At which point of the workflow does the error occur? During the manager initiation process? During the user execution process?
Is your clmAgent certificate operational, aka not expired? Did you renew this certificate in the past?
/Matthias
October 19th, 2010 9:18am
Yes, I have renewed the certificate. I need a clarification on the flow of Manager Initiate:
1. The initiator initiates the certificate for the user.
2. The approver approves the request.
3. The certificate is executed: the profile is created, the request is sent to the CA, the request operation completes and the certificate is installed.
Please correct me if I am wrong.
**********************************************************************************************************************************
Below are my error details.
1) When I request the certificate through the initiator, the request status is pending:
Create Request FIM\initiator
Approve Request FIM\CLMAgent
Here, whenever I request a certificate, it shows "Approve Request" for CLMAgent; it does not go to the Approver. The status of the certificate is pending.
You can review the details of a particular request, and change related information for it, as your permissions allow.

General Information
Type: Enroll
Status: Pending
Originator: FIM\CLMUSER
Target: FIM\CLMUSER
Submitted at: Thursday, October 21, 2010 5:07:52 PM
Comments: sdsdsddddddddcdscscdc
Data collection complete:
Profile template used: Copy 2 Of FIM CM Sample Profile Template
Request priority: 0

History
Expand this section to view the request's history.
Action           User          Time                 Event Details
Create Request   FIM\CLMUSER   10/21/2010 5:07 PM   sdsdsddddddddcdscscdc
*********************************************************************************************************************************
2) Service not found
Under "Configuring the FIM CM Service" on TechNet, in "Step 5: Configure FIM CM to start automatically", they refer to the Certificate Management Service, but on my FIM CLM server I can't find a service running under that name. On my server I see the services "Certificate Propagation" and "Forefront Identity Manager CM Update Service". I need to clarify where the Certificate Management Service is, and whether I have missed something while configuring.
October 21st, 2010 1:54am
The service you're missing is the FIM CM Update Service, which automates the task of generating requests for renewals or updates of existing smart cards and certificates.
It's an optional component and not (!) needed for basic/standard workflows.
If you're missing the service, you probably didn't select it during the initial setup of FIM CM.
/Matthias
October 21st, 2010 7:44am
Hi,
When you have a new card (meaning the card is new to your FIM CM environment), insert it into your card reader and then in FIM CM choose "View details of the smart card currently in the reader". If you get the message "Invalid smart card serial number. Smart card information not available for the supplied smart card", don't worry.
This does not mean your card is not usable. Just issue the certificates to your card (e.g. by running "Enroll a user for a new set of certificates or a smart card", choosing your target user and then running "Issue a permanent smart card to this user"); this will just work. From then on you can also view details of the smart card without getting the invalid serial number message.
cheers, alphalz
June 29th, 2012 2:31am